Krebs on Security

In-depth security news and investigation

FBI: North Korea to Blame for Sony Hack

The FBI today said it has determined that the North Korean government is responsible for the devastating recent hack attack against Sony Pictures Entertainment. Here’s a brief look at the FBI’s statement, what experts are learning about North Korea’s cyberattack capabilities, and what this incident means for other corporations going forward.

In a statement released early Friday afternoon, the FBI said that its investigation — along with information shared by Sony and other U.S. government departments and agencies — found that the North Korean government was responsible.

The FBI said it couldn’t disclose all of its sources and methods, but that the conclusion was based, in part, on the following:

- “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

- “The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

- “Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”
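As an added illustration of the infrastructure-overlap reasoning in the second point (this is not code from the FBI, Sony or this post), the following Python pulls IPv4 literals hardcoded in a sample and intersects them with a list of previously attributed addresses. The sample bytes and the address list are constructed for the example and use RFC 5737 documentation ranges, so they match no real infrastructure.

```python
import ipaddress
import re

# Constructed stand-in for a malware sample: junk bytes with ASCII IPv4
# literals embedded the way hardcoded C2 addresses often appear in a binary.
# All addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_BYTES = (
    b"\x00\x01MZ\x90junk" b"203.0.113.7\x00"
    b"http://198.51.100.23:8080/upd\x00"
    b"999.1.1.1 not-an-ip 10.0.0\x00"   # invalid octet and a 3-octet fragment
    b"192.0.2.200\x00padding\xff\xfe"
)

# Constructed list standing in for addresses an analyst has previously tied
# to a threat actor (again documentation ranges).
KNOWN_INFRA = {"203.0.113.7", "203.0.113.9", "192.0.2.200"}

# Four dotted groups of 1-3 digits, not glued to surrounding digits or dots.
IPV4_RE = re.compile(rb"(?<![0-9.])(\d{1,3}(?:\.\d{1,3}){3})(?![0-9.])")


def extract_hardcoded_ips(blob: bytes) -> set:
    """Return the syntactically valid IPv4 literals found as ASCII in blob."""
    found = set()
    for match in IPV4_RE.finditer(blob):
        text = match.group(1).decode("ascii")
        try:
            ipaddress.IPv4Address(text)  # rejects octets > 255, e.g. 999.1.1.1
        except ValueError:
            continue
        found.add(text)
    return found


def infrastructure_overlap(sample_ips: set, known_ips: set) -> dict:
    """Intersect a sample's hardcoded addresses with known infrastructure.

    The result is an evidence record, not a verdict: shared hosting, reused
    toolkits or deliberate reuse of someone else's servers all produce
    overlap, so it is one indicator to corroborate, never proof on its own.
    """
    overlap = sorted(sample_ips & known_ips)
    unmatched = sorted(sample_ips - known_ips)
    ratio = len(overlap) / len(sample_ips) if sample_ips else 0.0
    return {"overlap": overlap, "unmatched": unmatched, "overlap_ratio": ratio}


if __name__ == "__main__":
    ips = extract_hardcoded_ips(SAMPLE_BYTES)
    record = infrastructure_overlap(ips, KNOWN_INFRA)
    print("hardcoded:", sorted(ips))
    print("overlap with known infrastructure:", record["overlap"])
    print("unmatched (new leads to pivot on):", record["unmatched"])
    print("overlap ratio: %.2f" % record["overlap_ratio"])
```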

The agency added that it was “deeply concerned” about the destructive nature of this attack on a private sector entity and the ordinary citizens who work there, and that the FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential information.

“Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,” the FBI said. “Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.”

SPE was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. The attackers then began releasing huge troves of sensitive SPE internal documents, and, more recently, started threatening physical violence against anyone who viewed the Sony movie “The Interview,” a comedy that involves a plot to assassinate North Korean leader Kim Jong Un. Not long after a number of top movie theater chains said they would not show the film, Sony announced that it would cancel the movie’s theatrical release.

Apparently emboldened by Sony’s capitulation, the attackers are now making even more demands. According to CNN, Sony executives on Thursday received an email, apparently from the attackers, saying they would no longer release additional stolen Sony Pictures data if the company announced that it would also cancel any plans to release the movie on DVD, Netflix or elsewhere. The attackers also reportedly demanded that any teasers and trailers for The Interview be removed from the Internet.

A ‘MAGIC WEAPON’

Little is publicly known about North Korea’s cyber warfare and hacking capabilities, but experts say North Korean leaders view cyber warfare capabilities as an important asymmetric asset in the face of its perceived enemies — the United States and South Korea. An in-depth report (PDF) released earlier this year by HP Security Research notes that in November 2013, North Korea’s “dear leader” Kim Jong Un referred to cyber warfare capabilities as a “magic weapon” in conjunction with nuclear weapons and missiles.

“Although North Korea’s limited online presence makes a thorough analysis of their cyber warfare capabilities a difficult task, it must be noted that what is known of those capabilities closely mirrors their kinetic warfare tactics,” HP notes. “Cyber warfare is simply the modern chapter in North Korea’s long history of asymmetrical warfare. North Korea has used various unconventional tactics in the past, such as guerilla warfare, strategic use of terrain, and psychological operations. The regime also aspires to create viable nuclear weapons.”

Sources familiar with the investigation tell KrebsOnSecurity that the investigators believe there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.

Headquarters of the Chongryon in Japan.

According to HP, a group of ethnic North Koreans residing in Japan known as the Chongryon are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime. The report quotes Japanese intelligence officials stating that “the Chongryon are vital to North Korea’s military budget, raising funds via weapons trafficking, drug trafficking, and other black market activities.” HP today published much more detail about specific North Korean hacking groups that may have played a key role in the Sony incident given previous such attacks.

While the United States government seems convinced by technical analysis and intelligence sources that the North Koreans were behind the attack, skeptics could be forgiven for having doubts about this conclusion. It is interesting to note that the attackers initially made no mention of The Interview, and instead demanded payment from Sony to forestall the release of sensitive corporate data. It wasn’t until well after the news media pounced on the idea that the attack was in apparent retribution for The Interview that we saw the attackers begin to mention the Sony movie.

In any case, it’s unlikely that U.S. officials relish the conclusion that North Korea is the aggressor in this attack, because it forces the government to respond in some way and few of the options are particularly palatable. The top story on the front page of The Wall Street Journal today is an examination of what the U.S. response to this incident might look like, and it seems that few of the options on the table are appealing to policymakers and intelligence agencies alike.

The WSJ story notes that North Korea’s only connections to the Internet run through China, but that pressuring China to sever or severely restrict those connections is unlikely to work.

Likewise, engaging in a counter-attack could prove fruitless, or even backfire, the Journal observed, “in part because the U.S. is able to spy on North Korea by maintaining a foothold on some of its computer systems. A retaliatory cyberstrike could wind up damaging Washington’s ability to spy on Pyongyang…Another former U.S. official said policy makers remain squeamish about deploying cyberweapons against foreign targets.”

IMPLICATIONS FOR US FIRMS

If this incident isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working — and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.

A critical step that many organizations fail to take is keeping a basic but comprehensive and ongoing inventory of all the organization’s IT assets. Identifying where the most sensitive and mission-critical data resides (the organization’s “crown jewels”) is another essential exercise, yet too many organizations never take the further step of encrypting that vital information.

Over the past several years, we’ve seen a remarkable shift toward more destructive attacks. Most organizations are accustomed to tackling malware infestations within their IT environments, but few are prepared to handle fast-moving threats designed to completely wipe data from storage drives across the network.

As I note in my book Spam Nation, miscreants who were once content to steal banking information and blast out unsolicited commercial email increasingly are using their skills to hold data for ransom using malware tools such as ransomware. I’m afraid that as these attackers become better at situational awareness — that is, gaining a better understanding of who their victims are and the value of the assets the intruders have under their control — these attacks and ransom demands will become more aggressive and costly in the months ahead.

This entry was posted on Friday, December 19th, 2014 at 1:50 pm and is filed under A Little Sunshine, The Coming Storm.

104 comments

“This is GOP. You have suffered through enough threats,” the message, which was also posted to Pastebin, read. “The interview may release now. But be careful. September 11 may happen again if you don’t comply with the rules: Rule #1: no death scene of Kim Jong Un being too happy; Rule #2: do not test us again ; Rule #3: if you make anything else, we will be here ready to fight.”

So we can now watch the movie and it can now be released even though KIM JONG UN is being killed. It also makes me wonder if all the media pounding on the hack wasn’t making them spooked and that the real reason for the cyberattack wasn’t something much different. The real reason for the attack may not be clear for years to come but I seriously doubt it was because of the movie “The Interview”. I would say I challenge the theatres to release the movie now, just to see what the G.O.P would do. Nothing, I am betting. Some food for thought.

1> Could this have been an employee of Sony who was disgruntled?
2> Could this have been China, and they are trying to stop people from asking questions?
3> Could the SMB worm be a way to hide their true intentions?
4> Could the GOP be linked to the “ISIS” group because of the 9/11 threat?

Again, I am really skeptical it was the movie that was the reason for the attack and I also believe NK is just using this excuse to rattle the cages. I still do not think they were the actual perps of the attack though.

Folks there is far more to this story than meets the eye. IMHO this is blow back for a propaganda effort on our part that backfired.

Let’s review: the writer of “The Interview” says he used a fictitious name for the character.

Sterling: “It never occurred to me that we would be allowed to use the real leader’s name. I wrote the script without any instructions from anybody, with a fake name. At the time, Kim Jong-il was the leader of North Korea. I wrote a name called Kim Il-hwan, and that was the version that the studio green-lit.”

“A series of leaked emails reveal that Sony enlisted the services of Bruce Bennett, a senior defense analyst at the RAND Corporation who specializes in North Korea, to consult with them on The Interview.”

Bennett specializes in “War Games”, “Preparing for the possibility of a North Korean collapse,” nuclear deterrence and other stuff like that.

Now I don’t know about you but bringing in the Rand Corporation (CIA front) North Korean defense and military expert to consult on a broad comedy is a little weird.

Bennett: “In fact, when I have briefed my book on ‘preparing for the possibility of a North Korean collapse’ [Sept 2013], I have been clear that the assassination of Kim Jong-Un is the most likely path to a collapse of the North Korean government. Thus while toning down the ending may reduce the North Korean response, I believe that a story that talks about the removal of the Kim family regime and the creation of a new government by the North Korean people (well, at least the elites) will start some real thinking in South Korea and, I believe, in the North once the DVD leaks into the North (which it almost certainly will). So from a personal perspective, I would personally prefer to leave the ending alone.”

Okay so Bennett is hoping the film leads to regime change by causing the N. Koreans to rise up and assassinate their leader. Provocative?

So Lynton speaks to an unnamed “U.S. government official.”
Way back in June.
Lynton: “Spoke to someone very senior in State (confidentially). He agreed with everything you have been saying. Everything.”

Now we have the State Department, an Ambassador and the Rand Corporation involved in the development of this broad slapstick comedy.
But then the State Department admits that Daniel Russel is involved: Assist. Sec of State. He was also advising Sony. Russel says he also designated a point person in the State Department to deal with the development of the broad slapstick comedy.

1) Sony screened a rough cut version of the film FOR THE STATE DEPARTMENT.

2) One of the Sony execs is on the Board of Directors of the Rand Corporation.

I think a good case could be made that Sony and the lunatics at the State Department set this whole thing up – much like Victoria Nuland and the neocons at the State Department created the Ukraine coup and subsequent crisis – and whoever the hackers are, they jumped on it once they realized it.

Remember 9/11? What did the FBI or CIA know about that? NOTHING! What did they know about Iraq? NOTHING! What did they know about Cuba? NOTHING! And yet, already we hear the David Frum/George Bush/Republican “Evil Empire” phrase, trying to implicate Iran, Syria/Iraq and North Korea in this hacking plot. How about the recent downsizing by Sony where key long-time employees were let go, all with sensitive (and very exclusive) passwords within their knowledge, and obviously some pissed off at losing their jobs! AND, not for a second do I believe that North Korea has the hackers to accomplish such a feat (and all further communication in perfect English – did you notice that?), but even if they did, what would be the American reaction to a world-wide movie produced by North Korea, which included blowing up President Obama’s head in an assassination attempt, or the Prime Minister of Israel’s head! I would guess that in the former case, most Republicans and most living below the Mason Dixon line, a lot of racists included, would be happy. Pity! You people are really dumb for all the opportunity you have for education. Great Blog as always!!

Ten’ll get you one this was a false flag attack by the NSA and/or the feebs.

How do I know? For years they were trying to ram through CISPA, which would permit companies to freely share all data (such as customer info) with the feds/military allegedly for “cyber security” purposes. Then the Snowden leaks happened, and made clear what smart people already suspected: that the real purpose for CISPA was to legalize surveillance practices that were already in place, after the fact, and to immunize all corporations not already immunized for their participation in surveillance — notably, so PRISM participants could not be sued for privacy breach.

Of course, now they also want mightily to distract from and/or justify the stuff exposed in the Snowden leaks, and since a few days ago also the stuff exposed in the torture report.

Hence this perfectly timed cyberattack on an American corporation allegedly perpetrated by a foreign “advanced persistent threat”.

Based on the reveals about Sony’s close connections with the State Department on this film and also the Cybersecurity Bill that has been lagging in Congress, I, too, am beginning to get that twitchy “false flag” feeling…

At best, it appears that the US is jumping on this hack by whoever to justify ramping up tensions with North Korea – and probably will use it as justification for passing some sort of legislation to regulate the Internet more.

“Jeffrey Carr, cybersecurity expert and CEO of Taia Global, is one of the skeptics. He told Mashable that ‘one of the biggest mistakes is that because an attack can be traced to the North Korean Internet that somehow means it’s the North Korean government. That’s a false assumption, because the North Korean Internet is basically provided by outside companies, in this case a Thai company. Nothing presented excludes alternate scenarios.’ Carr notes that it appears the FBI is getting most of its intelligence from private security companies, without vetting or verifying that information.”

From the “The Verge” column “Stuxnet source code could open a Pandora’s Box of cyberwarfare”: “Now that the Stuxnet source code is available for download (it took a CBS producer about a week to find it on ‘hacking sites’), it can be studied and possibly repurposed and repackaged by any motivated individual or organization”

Is the previous North Korean malware code available on such sites? Has anyone even checked? If so, want to FRAME a country? Use segments of their code that’s available on-line.

Finally, I find it hard to believe that the malware labs of North Korea or any country no matter how small don’t have a single person available who can write threats in proper English. A lone hacker or small group probably wouldn’t as indicated by the poor English typically found in their all-too-common malware.

In the end it doesn’t really matter who did this attack on Sony. This attack was a terrific wake-up call for all organizations – corporate, government, military, etc – and end users to pay more attention to their cyber-security.

I don’t foresee the whole scheme of internet openness changing – and thus such an event may someday happen on a bigger scale (sometimes I welcome it as a small example of a “wake up”). “How bad does it have to get” – I’m coming to not care about businesses getting breached. Many have been breached when I personally haven’t been breached. Businesses keep losing other people’s information (it’s not diminishing, it’s getting worse – some wake up call as the months keep rolling by and a bigger breach happens at another business). Let’s see: What could possibly be bigger than Sony PE being wiped? (Wipe the IRS? Wipe something in NYC? Etc.)

First, I don’t buy anything the FBI is selling, second when I hear things like “The agency added that it was “deeply concerned” about the destructive nature of this attack on a private sector entity and the ordinary citizens who work there”

and

“Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,”
I see propaganda, “never waste a crisis”.
Corporations have been warned about hacking since the 90’s, if they insist on storing things accessible to the Internet this is what they get.
It’s business as usual, no big deal, and frankly after what Snowden released no one should be listening to the FBI much less trusting them.

It’s more like a top secret covert mission between the N.S.A. and F.B.I. to hack S.P.E. and then put the sole blame on North Korea. This then would give the United States government an excuse to cyber attack the country to shut down the single internet connection going into P’yongyang from China.

I’m kind of laughing at the notion some people believe, that North Korea wouldn’t have the skills to do this… lol, really? What planet do you live on?

Sony is always getting hacked, hellooo, by 15 year olds! Banks get hacked; freaking Las Vegas casinos were getting HDDs wiped in February, it finally came out. They couldn’t do anything but start pulling computers out of the walls.

Like Hector Monsegur said, THERE IS NO SECURITY. I mean wake up. It could have been anybody including North Korea. Hiring IT guys doesn’t protect people’s computers, period. SPE was filled with a bunch of Hollywood types lucky they knew how to read their emails.

NSA made PRISM, for the simple fact they have no other advantage. Everyone is on their level now and that scares them.

Kim Jun was probably pissed and hired a bunch of Korean kids to hack them for kicks! haha.

On another note, those Koreans are real honorable gamers compared to Russian and American servers which are full of cheaters. That’s why League of Legends got so popular and respected.

I was referring to the sense of honor in Asian culture, period. Let’s throw Japanese and Chinese cultures in there too to make you happy? Granted a lot of the “gold farmers” are Asian. But imo League of Legends and Dota 2 are popular because of their sense of honor and how they cherish sports from around the world. Like golf and baseball.

And I’m just afraid that the media, which breeds anti-Muslim hate and anti-cop hate, isn’t now starting to breed anti-Korean sentiments.

As for why the gov’t is blaming North Korea for the latest Sony hack: I’m starting to think they were getting lots of threats prior to the hack supposedly from NK, and apparently still are according to today’s news reports. The fact we have absolutely no dialogue with them is probably an issue. The President might have to call Dennis Rodman lol.

This was generally on-point, and your links were, as always, useful. But I do need to point out a problem with the bit about failing to keep track of where vital information is stored.

In short, it is an extremely difficult problem. The problem is two-fold.

1) Parts of the solution are simply not yet known, from a science perspective. Looking at a myriad of PCs, and analyzing their content semantically, is a hard problem in and of itself. Doing it efficiently, so that it works under any sort of continuous monitoring system, is even harder. From a theoretical standpoint, that is not even possible; the best we will ever do is get incrementally better, through a lot of hard work.

Consider someone doing data analytics. A common interface to Big Data is to extract a subset of data from a central server, and do more crunching on a workstation via a spreadsheet or other tool.

How sensitive is that data? How long is it resident on that workstation? One reason for doing some local-to-workstation crunching is financial. Which brings us to the second point.

2) The economics can be horrible. We have remote desktop systems, which allow us to keep everything on a set of central servers, where we might have some hope of control.

This can be extremely expensive, often effortlessly reaching 7 figures. The power required of any particular PC is reduced, but the network bandwidth, storage, and CPU requirements mushroom. Admin expenses grow, and the network becomes even more a critical point of failure than it is now, in that if it goes down, people cannot even work on their local machines. The data aren’t there. So, in the analytics example, we download and do further crunching on a cheaper machine that we had to have anyway.

Plus, in many respects this is going back to mainframe-like computing, and the PC revolution happened for good reasons. Not the least of which is flexibility.

We are getting better at this. But the economics are challenging for many organizations, and solutions may be completely out of reach for many. Very small organizations may hold key technology related to materials science, etc. It’s not purely about, for example, giant defense contractors.

Considering both science and economic facets (and it is actually more complex than described here), this failure is often about ‘can not do it’, rather than ‘did not do it’.

I really believe it all boils down to what’s more popular. If they switch to Linux, then Linux will probably become the most malware ridden eventually. Is that what you want? lol.

Do you really think Linux has no gov’t backdoors? cough…systemd…cough. Are you one of those guys who likes to play the definition game of viruses vs worms vs malware? As if there is any real difference? Reverse bash shell anyone?

I tested Linux for 2 months compiling grsec kernels, in conjunction with RBAC rules and AppArmor, or SELinux and strong firewall rules, doing file integrity checks, everything I could, and I got totally raped.

We would have even more hardened systems, but to be honest, they each have something the other doesn’t when you actually look.

For instance, simple things like shutting off IGMP snooping in Linux, without having to block it with a firewall or in a custom kernel, compared to a simple terminal command in Windows… or running something similar to AppLocker, or a firewall based on such, in Linux… etc.

I understand why people always feel the need to blame users. Because the fact is, if you actually do things on your PC and make a lot of connections, you’re vulnerable no matter what O/S you use and no matter who you are.

The breach was not conducted by North Korea. Let’s all move past that notion. There are too many glaring indicators that prove it’s not NK. Here is a great blog post by Marc Rogers. It couldn’t be any more spot on.

I agree it is pretty ridiculous to claim it’s NK because of IP addresses and similar malware.

When the malware is probably sold and hackers never use their own IP addresses. That’s at least better than saying they don’t have the capability… He also brings up a good point about the fact the Korean was so bad it was as if they used Google Translate lol.

None of this proves it wasn’t NK though, and it’s still possible the FBI has methods or evidence they can’t share. Or that SONY was getting threats beforehand. Although, this also wouldn’t necessarily mean it was state sanctioned, which is why I’m sure Obama dialed it back.

It’s unfortunate that this happened to Sony, and as they pick up the pieces the message I’m reading is that it isn’t about if or when. It’s how much, and if you’ve been able to prepare for what comes at you.